Major Description
Everyone can bypassing SSL/HTTPS by entering HTTP instead of HTTPS. Because when is set <web bind="https://host:port"> element in bootstrap.xml to HTTPS, it's allow HTTP on same port too. There is still no way how to disable HTTP.
I think that right way when is HTTPS set, just disable HTTP. -> enforce to HTTPS by default.
But on other hand, if is really needed preserve working HTTP+HTTPS just add option enforceHttps=False. Or something like <web bind="http+https://host:port"> which makes more sense.